An extensive guide to Azure Virtual Network peering

Azure Virtual Network (VNet) peering is a feature of Microsoft Azure that enables seamless connectivity between two or more VNets.

This guide covers the fundamentals, use cases, prerequisites, and implementation details to help you master VNet peering.

Overview of VNet Peering

VNet peering connects two Azure VNets, allowing resources in these networks to communicate as if they are on the same network.

Peered VNets can span different regions and subscriptions within Azure.

Key Features:

Low latency and high bandwidth

Communication between peered VNets happens over Microsoft's backbone network.

No public internet

Traffic between VNets does not travel through the internet.

Support for all Azure resources

Peering works with VMs, Azure Kubernetes Service (AKS), App Service Environments, and more.

Global reach

Enables peering across different Azure regions.

Types of VNet Peering

Intra-region (Regional) Peering

• Peering between VNets in the same Azure region.

• Commonly used for microservices architectures within a single region.

Inter-region (Global) Peering

• Peering between VNets in different regions.

• Enables multi-region architectures for disaster recovery and load distribution.

Use Cases

1. Hybrid Cloud Architectures

Connect on-premises networks to multiple VNets via Azure VPN or ExpressRoute.

2. Resource Isolation

Use separate VNets for development, testing, and production environments but enable secure intercommunication.

3. Multi-region Architectures

Replicate data or applications across regions for high availability and disaster recovery.

4. Cost-optimized Networking

Peering reduces the cost of inter-VNet traffic compared to traditional VPN setups.

Prerequisites

Before setting up VNet peering, ensure:

1. Compatible IP Address Spaces:

   • The VNets must not have overlapping IP address ranges.

2. Proper Permissions:

   • You need the Network Contributor role or equivalent permissions in both VNets.

3. VNet Location Compatibility:

   • For global peering, ensure the VNets are in supported regions.

4. Subscriptions:

   • If the VNets are in different subscriptions, ensure they are under the same Azure Active Directory tenant.

How to Configure VNet Peering

Step 1: Set Up VNets

• Create two VNets with non-overlapping IP address spaces.

• Example:

  • VNet1: 10.0.0.0/16

  • VNet2: 10.1.0.0/16

Step 2: Initiate Peering

1. Go to the Azure Portal and navigate to the first VNet.

2. Select Peerings under the settings menu.

3. Click Add to create a peering connection.

4. Configure the following:

   • Name: Provide a unique name for the peering.

   • Peer VNet: Choose the second VNet.

   • Allow virtual network access: Yes (enables communication).

   • Allow forwarded traffic: Optional (used for routing scenarios).

   • Gateway transit: Optional (used for hub-and-spoke topologies).

Step 3: Configure the Peer VNet

1. Repeat the process for the second VNet.

2. Ensure that the peering settings in both VNets are configured symmetrically.

Step 4: Test Connectivity

• Deploy VMs in each VNet and verify connectivity using tools like ping or Test-NetConnection.

Advanced Configuration

1. Use Gateway Transit

• Allow one VNet to use another's VPN gateway for on-premises connectivity.

• Enable the Use remote gateways option on the spoke VNet and Allow gateway transit on the hub VNet.

2. Global Peering Bandwidth and Pricing

• Consider bandwidth limitations and data transfer pricing for global peering.

3. Multi-subscription Peering

• Ensure cross-subscription permissions are configured properly using Azure RBAC.

4. Network Security Groups (NSGs)

• Apply NSGs to control traffic between peered VNets.

Limitations

• VNets with overlapping IP address ranges cannot be peered.

• Maximum number of peerings per VNet:

  • 500 peerings per VNet in a single region.

• Gateway transit is supported only with VPN and ExpressRoute gateways.

• Traffic routing through a peered VNet's gateway (transitive routing) is restricted unless gateway transit is enabled.

Monitoring and Troubleshooting

Monitoring:

1. Use Azure Network Watcher to validate connections.

2. Monitor traffic and performance using Azure Monitor.

Troubleshooting:

1. Connectivity Issues

• Check NSGs and ensure appropriate inbound/outbound rules.

• Verify VNet peering status in the Azure Portal.

2. Routing Issues

• Confirm the route table configurations.

Best Practices

1. Plan IP Addressing

• Use CIDR-based subnet planning to avoid overlaps.

2. Enable Monitoring

• Continuously monitor traffic and log activity for security audits.

3. Secure Communication

• Use NSGs to limit communication to necessary ports and protocols.

4. Test Before Deployment

• Validate connectivity in a test environment before deploying to production.

Frequently Asked Questions

Can I peer VNets across different Azure subscriptions?

Yes, as long as the subscriptions are associated with the same Azure AD tenant.

Does VNet peering support IPv6?

Yes, VNet peering supports both IPv4 and IPv6 address spaces.

Can I use VNet peering for on-premises connectivity?

Yes, but you must configure gateway transit for the on-premises network to communicate via a hub VNet.

Summary

This guide equips you with the foundational knowledge and practical steps to implement VNet peering.

Let me know if you'd like further clarification or assistance with specific scenarios!